Are Mailchimp & Co. no longer permitted in Europe? - 2. May 2022

Privacy land is in turmoil. For years, providers have worked with pixels, cookies, cohort-learning APIs and the customized offers built on them without obtaining consent for these “insights”. Users, the accusation goes, are either willingly giving away valuable data on their own behalf or are simply ignorant; they misjudge the danger and must therefore be protected from themselves. Europe is in revolt against the US authorities’ understanding of data protection, and probably also against large parts of the population, who equate personal data sovereignty with total trust in Google and Facebook. We would be on the verge of Chinese conditions, the total surveillance of the individual. “I have nothing to hide,” says the uninitiated user, until the government signals to him that his social behavior does not conform to the norm and that consequences may follow. So much for the general state of mind. The levels of awareness, perception, regulation and self-declared protective measures are visibly mixing and shifting. Legal certainty was yesterday.

Objection, says the lawyer: here is the fact and law check in the global picture. It concerns data collection, data storage and data processing inside and outside the EU and Switzerland:

  • In July 2020, the “Privacy Shield”, the US self-certification for data protection according to European standards, was overturned by the ECJ. Max Schrems, a modern and respected data Robin Hood, had struck again with the “Schrems II” ruling. The USA thus does not have an adequate level of data protection.
  • Subsequently, the Federal Data Protection and Information Commissioner (FDPIC) followed suit and confirmed the ruling for Switzerland as well, “autonomously” and in tow, as we usually do in Switzerland.
  • In April 2021, the Bavarian State Office for Data Protection declared the transfer of personal data from the email sending software Mailchimp to the USA illegal. However, the office waived the imposition of a fine in this (first) case.
  • Now for a little bridge: Apple declared in a keynote in June 2021 that, under its “Mail Privacy Protection”, the company would in future feed back only limited information about the opening and usage behavior of recipients of advertising emails to the senders. Other so-called ISPs, i.e. providers of mail inboxes such as Google, will follow suit. Insights into opening behavior will become more difficult in the future.
  • This behavior continues the announcements by large US Internet services and browser providers, which had already announced the end of third-party cookies as a means of user tracking for advertising purposes in 2019 and 2020. Alternative methods are also under heavy fire. These do not involve the use of personal data as such, but still allow the provider to deliver individualized offers to the user via cookies and data-driven targeting.
  • These (self-)restriction measures by the big data corporations probably stem from an awakened understanding of data protection and are an attempt to strengthen privacy not with regulatory, and thus bureaucratic, but with technical means. However, it is only half-hearted if these companies themselves collect a lot of data as “first party cookies” with the user’s consent and use it specifically for their own business model and to expand their own data power.
  • Many websites of US providers of CRM, email and marketing automation software assure that they comply with the GDPR with regard to the retention of personal customer data, which is partly in obvious contradiction with the above-mentioned rulings. Concrete inquiries often remain inadequately answered. It is obvious that these corporations were surprised by the development in Europe. A data protection offensive looks different.

What does this mean in practice for entrepreneurs who want to use data for marketing and sales purposes but are required to protect the personal data of their customers, especially in the EU and Switzerland?

  • The GDPR was and is certainly a milestone and a game changer in European data protection. There will be further rulings that interpret and specify the GDPR. Awareness of data protection – as numerous surveys also show – has been rising continuously since the GDPR (DSGVO) made its impact in the media. It will set the political and legal agenda for years to come.
  • The new Data Protection Act (DSG) will also come into force in Switzerland by mid-2022. Swiss data protection is on a par with that of the EU. In principle, the DSG assumes conformity with the GDPR, but in some areas it has been weakened. New data protection officers in companies will leave their mark. Threats of sanctions against C-level managers will be increased (but there is no corporate fine). So here in Germany, too, there is a threat of warnings, fines and possible damage to the company’s image in the event of a breach of the rules.
  • SMEs are not the primary targets of data protection authorities and courts. The great expense of opening proceedings and providing evidence is usually only worthwhile against large corporations. The storage of an SME’s personal data in the U.S. will in very few cases be judged a massive and irreversible breach of the rules. What is to be expected is a request to restore the rule-compliant state, not high fines. So the risk is manageable? If necessary, will it simply be the others who suffer?
  • Panic is not called for; serious attention is, and an internal audit in any case, if this has not already taken place long ago in 2018 with the introduction of the GDPR. It is strongly recommended to aim for a privacy-compliant strategy over the next 2-4 years. This involves all aspects of privacy by design and by default in technology, i.e. respecting privacy from the ground up and restraining the collection and use of data for marketing purposes.
  • A deliberate approach to U.S. vendors is required. Announcing that everything is fine is no longer enough after the Privacy Shield case. Standard contractual clauses as an alternative legal basis for international data transfer are also insufficient and would have to be clarified bilaterally between the provider and the company, which is far too time-consuming. The only thing that will lead to the desired result is a declaration by the U.S. provider as to when it intends to establish a legally compliant situation with regard to data retention in Europe. If this declaration is made credibly and promptly, the consequences are less costly than migrating quickly to European technology. If a server location in Europe and/or Switzerland cannot be guaranteed within 1-2 years, one should be concerned, or consider whether one has chosen the right partner for the medium term.
  • However, it is wrong to claim that European subsidiaries of US providers cannot meet the requirements for legally compliant data storage. The decisive factor is the commissioning of data hosting by a separate and independent service provider (third-party hosting provider), which cannot be obliged to hand over data to US authorities if required.

Conclusion:
Ultimately, every entrepreneur must decide for himself or herself how much importance he or she attaches to data protection and whether he or she is willing to accept a fine or reputational damage if caught in the crosshairs of investigations by the data protection authorities. Data – and especially “first party data”, first and foremost the e-mail address – are an advantage and game changer compared to competitors if used in compliance with the law. “Third party cookies” and the “ubiquitous” tracking of users by technical means have reached the end of their days, and alternatives to them are also viewed critically. A company would do well to collect its own data primarily through direct access to leads and customers, and to develop data sovereignty over the entire customer lifecycle. This data, combined with comprehensive consent management and its storage in the EU or Switzerland, should be the core of a differentiating, data-driven marketing and sales strategy.
Using marketing budgets solely to play out advertising, posts and ads via third-party providers such as Google, Facebook or programmatic advertising service providers, with the aim of driving leads to conversion in the short term, is an unsustainable strategy and, above all, strengthens the advertising providers’ data base rather than your own. This is what dependencies and dead ends look like. Regain awareness and full sovereignty over your customer data!

Finally, on our own behalf, we would like to inform our customers and those who would like to become customers in detail about the server locations of the technologies we use:

Salesforce Sales Cloud and Service Cloud: EMEA, including Germany.
Salesforce Marketing Cloud: all “relevant” applications in the EU (except Social Studio).
Salesforce Pardot: still in the USA; EU hosting is planned in 1-2 years.

ELAINE: Application and all customer data are hosted in Switzerland.

SALESmanago: Application and all customer data are hosted in Poland.

Disclaimer: This text is not a substitute for legal advice and makes no justiciable claim to accuracy, completeness or timeliness.
